IPv6 in the Data Center: is Cisco ready?

With Cisco’s recent push into the Data Center environment and all the (not so very unreasonable) fuss around IPv4 address depletion and the imminent need for IPv6, I wanted to check whether an all-Cisco shop could take the first step: deploy IPv6 on Internet-facing production servers. If you follow the various design guidelines, your setup will have at least the following elements (and I bet someone from Cisco has already told you that you also need an XML firewall, an Ironport and a WAAS appliance):


Now let’s see how well these boxes support IPv6.

I’m describing the Data Center IPv6 deployment issues in the Enterprise IPv6 Deployment workshop. The diagram above was taken straight from the workshop materials.

Routers and switches (both Catalysts running the SXI release and Nexuses running the latest NX-OS) support everything you need, including IPv6 layer 3 virtualization (IPv6 in VRF, also known as 6vPE).

I couldn’t find 6vPE support in IOS XE Release 2, but then you’d most likely need it on the core switches, not on the edge routers.

ASA is a bit of a problem – the current software release does not support failover configurations with IPv6. The situation rapidly worsens as you go deeper into the Application Networking Services. I wasn’t able to find any mention of IPv6 in ACE, XML Gateway or WAAS configuration guides. If I’ve missed something, please let me know.

The status of IPv6 support in various Data Center components is summarized in the following table:

| Equipment | Level of IPv6 support |
|---|---|
| Routers | Yes (6vPE on IOS XE might be missing) |
| Firewalls (ASA) | No redundancy (IPv6 failover doesn’t work) |
| Data center switches | Yes (Catalyst and Nexus) |
| Firewall Service Module (FWSM) | Not in transparent mode, on the main CPU (awfully slow) in routed mode. |
| Load balancers (ACE) | No |
| Application-level firewall (XML Gateway) | No |
| WAN optimization (WAAS) | No |
| Ironport | No |

10 comments:

  1. Not only does failover with ASAs and IPv6 not work, it's actively destructive, as both ASAs in a failover cluster send RAs. Which, I am pretty sure, cannot be that hard to fix.

  2. Yes, I ran into the same issue with an active/passive ASA cluster and IPv6. Found that the second ASA was responding to ND and RAs. The only way I could resolve this was installing a standalone ASA as an IPv6 gateway. Worked pretty well though.

    Apparently 8.2(2) will solve some of these issues...

  3. The ASAs also have issues with RADIUS authentication when you telnet or SSH to the device on its IPv6 address. Local authentication works fine.

  4. If you do any routing with 4948s and want to do EIGRPv6, they don't support it.

  5. I can confirm IOS XE on the ASR1k platform doesn't support 6VPE, it -almost- works and it seems they just need to iron out some minor CEF bug, but Cisco insists it's not supported at all. I was told it'll be available in 12.2(33)XNG due half 2010 :(
    PS. Ivan, why do you say 6VPE is not likely needed on edge routers? The edge is -exactly- where you need it imho.

  6. You don't wanna do IPv6 routing on 4948s anyway because it's all CPU punted. They fall over and die with only small amounts of IPv6 traffic :(

  7. You need 6VPE on the Service Provider edge routers, not on the edge of a Data Center. You need 6VPE within the Data Center to implement L3 virtualization.

  8. Ivan: having an ISP background, with edge router I referred to the SP edge router (PE), so I guess we're in agreement :)

  9. Does anyone know if you can use PPPoE with IPv6 on an ASA ??

  10. Does anyone know if you can use PPPoE with IPv6 on an ASA ??



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.